lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <vfzsx35yfz2rlyx2bc4fxwnrcyvshagf3lgzhef4pqrahpyigp@356wdo7gmbfw>
Date: Wed, 7 Jan 2026 00:04:51 +0000
From: Yosry Ahmed <yosry.ahmed@...ux.dev>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Kevin Cheng <chengkev@...gle.com>, pbonzini@...hat.com, 
	kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] KVM: SVM: Generate #UD for certain instructions when
 SVME.EFER is disabled

On Tue, Jan 06, 2026 at 03:48:37PM -0800, Sean Christopherson wrote:
> On Tue, Jan 06, 2026, Yosry Ahmed wrote:
> > On Tue, Jan 06, 2026 at 10:21:40AM -0800, Sean Christopherson wrote:
> > > So rather than manually handle the intercepts in svm_set_efer() and fight recalcs,
> > > trigger KVM_REQ_RECALC_INTERCEPTS and teach svm_recalc_instruction_intercepts()
> > > about EFER.SVME handling.
> > > 
> > > After the dust settles, it might make sense to move the #GP intercept logic into
> > > svm_recalc_intercepts() as well, but that's not a priority.
> > 
> > Unrelated question about the #GP intercept logic, it seems like if
> > enable_vmware_backdoor is set, the #GP intercept will be set, even for
> > SEV guests, which goes against the in svm_set_efer():
> > 
> > 	/*
> > 	 * Never intercept #GP for SEV guests, KVM can't
> > 	 * decrypt guest memory to workaround the erratum.
> > 	 */
> > 	if (svm_gp_erratum_intercept && !sev_guest(vcpu->kvm))
> > 		set_exception_intercept(svm, GP_VECTOR);
> > 
> > I initially thought if userspace sets enable_vmware_backdoor and runs
> > SEV guests it's shooting itself in the foot, but given that
> > enable_vmware_backdoor is a module parameter (i.e. global), isn't it
> > possible that the host runs some SEV and some non-SEV VMs, where the
> > non-SEV VMs require the vmware backdoor?
> 
> Commit 29de732cc95c ("KVM: SEV: Move SEV's GP_VECTOR intercept setup to SEV")
> moved the override to sev_init_vmcb():
> 
> 	/*
> 	 * Don't intercept #GP for SEV guests, e.g. for the VMware backdoor, as
> 	 * KVM can't decrypt guest memory to decode the faulting instruction.
> 	 */
> 	clr_exception_intercept(svm, GP_VECTOR);
> 
> I.e. init_vmcb() will set the #GP intercept, then sev_init_vmcb() will immediately
> clear it.

That's not confusing at all :P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ